Iron Tiger APT attacks employed messaging app MiMi

 Trend Micro researchers uncovered a new campaign conducted by a China-linked threat actor Iron Tiger that employed a  backdoored version of the cross-platform messaging app MiMi Chat App to infect Windows, Mac, and Linux systems.

The Iron Tiger APT (aka Panda Emissary, APT27, Bronze Union, Lucky Mouse, and TG-3390) is active at least since 2010 and targeted organizations in APAC, but since 2013 it is attacking high-technology targets in the US.

Trend Micro experts discovered a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.” While HyperBro is a malware family that is associated with APT27 operations, the Mach-O sample appears to be a new malware family targeting the Mac OS platform. The researchers also found samples compiled to infect Linux systems.

“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.” reads the analysis published by Trend Micro. “Further investigation showed that MiMi chat installers have been compromised to download and install HyperBro samples for the Windows platform and rshell samples for the Mac OS platform.”

The Chinese hackers compromised the installers of the chat application MiMi and the malicious code was used to download and install HyperBro samples for the Windows operating system and rshell for Linux and macOS.

This appears as a supply chain attack because the Iron Tiger APT compromised the server hosting the legitimate installers for this MiMi chat application. 

The rshell executable is a standard backdoor that allows operators to collect OS information and send it to the C2 server, receive commands from the C2 server, and send command execution results back to the C2.

The experts noticed that running the DMG installer on a macOS system, the user is displayed several warnings before the backdoored app is installed, such as an alert about an unverified developer.

Both the legitimate and the backdoored versions of the installer were unsigned, this implies that Mac users that want to install MiMi chat were probably used to all these extra steps to finally install it and ignore the warnings.

This is the first time the attackers attempted to target macOS alongside Windows and Linux systems.

Experts found 13 different systems infected by this campaign, eight were compromised with she’ll, six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines. The remaining ones were infected with HyperBro (four in Taiwan and one in the Philippines). 

Below is the timeline of the campaign:

• June 2021: Oldest Linux rshell sample found
• November 2021: Threat actor modified version 2.2.0 of Windows MiMi chat installer to download and execute HyperBro backdoor
• May 2021: Threat actor modified version 2.3.0 of Mac OS MiMi chat installer to download and execute “rshell” backdoor

The analysis also includes a list of Indicators of Compromise (IOCs) for this campaign.

“We attribute this campaign to Iron Tiger for multiple reasons.” concludes the analysis.

-Prameet